77 matches found

Positive Technologies · added 2024/10/04 12:00 a.m. · 3 views

PT-2024-12113 · Taskcafe · Taskcafe

Name of the Vulnerable Software and Affected Versions: TaskCafe version 0.3.2. Description: The issue is caused by a lack of validation of the Cookie value, which allows an unauthenticated attacker who knows a registered UserID to change that user's password. This can be exploited by attacke...

CVSS 9.8 · AI score 7.2 · EPSS 0.00284 · Exploits 1 · References 9

NVD · added 2024/09/15 10:15 p.m. · 11 views

CVE-2024-8875

A vulnerability classified as critical was found in vedees wcms up to 0.3.2. Affected by this vulnerability is an unknown functionality of the file /wex/finder.php. Manipulation of the argument p leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to t...

CVSS 9.1 · EPSS 0.00133 · Exploits 1 · References 4

CNNVD · added 2024/09/15 12:00 a.m. · 1 view

WCMS path traversal vulnerability

WCMS is a content management system (CMS) from the individual developer Vedegis. A path traversal vulnerability exists in WCMS version 0.3.2 and earlier. It stems from an unknown function in the file /wex/finder.php that fails to properly validate the parameter p, resulting in path traversal...

CVSS 9.1 · AI score 5.5 · EPSS 0.00133 · Exploits 1 · References 5

OSV · added 2024/08/26 3:17 p.m. · 0 views

GHSA-6JRJ-VC65-C983 unzip-stream allows Arbitrary File Write via artifact extraction

Impact: When using the Extract method of unzip-stream, malicious zip files were able to write to paths they should not be allowed to. Patches: Fixed in 0.3.2. References: https://snyk.io/research/zip-slip-vulnerability, https://github.com/mhr3/unzip-stream/compare/v0.3.1...v0.3.2. Credits: Justin Taf...

CVSS 8.7 · AI score 5.9 · Exploits 0 · References 5

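The unzip-stream entry above and the two WCMS /wex/finder.php entries earlier in this listing are the same bug class: a name from an untrusted source (a zip entry name, a request parameter such as p) is joined onto a base directory without checking that the result stays inside it. The Go program below is an added example written for this page; it is not code from unzip-stream, WCMS or any of the advisories, and the root /srv/out and the entry names are constructed. It shows the lexical containment check an extractor or file handler needs before touching the filesystem, and why a string-prefix comparison is not that check.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for names that would resolve outside root.
var ErrOutsideRoot = errors.New("path escapes the allowed root")

// SafeJoin resolves name against root and returns the resulting path only if
// it stays inside root. name may be a zip entry name (zip-slip) or a
// user-supplied file parameter (classic path traversal); the containment
// logic is identical. This is a lexical check only: it does not resolve
// symlinks that may already exist under root.
func SafeJoin(root, name string) (string, error) {
	cleanRoot := filepath.Clean(root)
	// Zip entry names use forward slashes; map them to the host separator.
	// Join cleans the result, collapsing "." and ".." segments, and an
	// absolute name such as "/etc/passwd" is simply nested under root.
	dest := filepath.Join(cleanRoot, filepath.FromSlash(name))

	// Decide containment with Rel, not a string-prefix test: a prefix test
	// would accept "/srv/out-evil/x" as being inside "/srv/out".
	rel, err := filepath.Rel(cleanRoot, dest)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return dest, nil
}

// NaiveJoin is the vulnerable pattern: join and trust the result.
func NaiveJoin(root, name string) string {
	return filepath.Join(root, name)
}

// PlanExtraction splits archive entry names into those that may be written
// and those that must be rejected, which an extractor should decide before
// creating any file.
func PlanExtraction(root string, names []string) (accepted, rejected []string) {
	for _, n := range names {
		if _, err := SafeJoin(root, n); err != nil {
			rejected = append(rejected, n)
		} else {
			accepted = append(accepted, n)
		}
	}
	return accepted, rejected
}

// Constructed zip entry names (not taken from any real archive); the last
// three are zip-slip attempts, including the prefix-check bypass.
var sampleEntries = []string{
	"docs/readme.txt",
	"bin/tool",
	"../../etc/cron.d/backdoor",
	"a/../../b.txt",
	"../out-evil/payload",
}

func main() {
	root := "/srv/out"
	for _, n := range sampleEntries {
		dest, err := SafeJoin(root, n)
		if err != nil {
			fmt.Printf("REJECT %-28q naive join would write %s\n", n, NaiveJoin(root, n))
			continue
		}
		fmt.Printf("ACCEPT %-28q -> %s\n", n, dest)
	}
}
```

For a web handler the same function applies with the request parameter in place of the entry name; when the directory may already contain symlinks, follow the lexical check with a check on the path after symlink resolution, which this example does not do.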
OSSF Malicious Packages · added 2024/08/10 11:5 p.m. · 4 views

Malicious code in artifact-lab-3-package-89883da3 (PyPI)

Source: kam193 dc3109f451995d11f0f2e99d58397d06ac2bb036df5ceb90425befb54ea10f14. Packages showing simple variants of a reverse shell with targets pointing to ngrok; most probably experiments. Later versions moved to using Burp Collaborator to exfiltrate simp...

AI score 7.6 · Exploits 0 · References 1

The Hacker News · added 2024/04/12 2:55 p.m. · 42 views

Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files

"Test files" associated with the XZ Utils backdoor have made their way into a Rust crate known as liblzma-sys, new findings from Phylum reveal. liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying libra...

AI score 8.4 · Exploits 0

Github Security Blog · added 2024/01/16 8:48 p.m. · 11 views

readthedocs-sphinx-search vulnerable to cross-site scripting when including search results from malicious projects

Impact: This vulnerability could have allowed an attacker to include arbitrary HTML content in search results by having a user search a malicious project. This was due to our search client not correctly escaping all user content from search results. You can find more information in the advisory...

AI score 6.6 · Exploits 0 · References 3 · Affected Software 1

Positive Technologies · added 2024/01/16 12:00 a.m. · 1 view

PT-2024-40529 · Unknown · Readthedocs-Sphinx-Search

Name of the Vulnerable Software and Affected Versions: readthedocs-sphinx-search versions prior to 0.3.2. Description: This issue could have allowed an attacker to include arbitrary HTML content in search results by having a user search a malicious project. The problem was due to the search client...

CVSS 6.3 · AI score 7.1 · Exploits 0 · References 4

CNNVD · added 2023/09/15 12:00 a.m. · 0 views

DiDi KnowSearch security vulnerability

DiDi KnowSearch is a zero-intrusion, multi-tenant Elasticsearch GUI management platform from China's DiDi, built around cluster and index management for Elasticsearch R&D and operations staff. A security vulnerability exists in DiDi KnowSearch versions 0.3.2 and 0.3.1.2, which stems from certain unknown processing...

CVSS 6.5 · AI score 6.8 · EPSS 0.00175 · Exploits 1 · References 6

Patchstack · added 2023/07/26 12:00 a.m. · 13 views

WordPress HTTP Auth Plugin <= 0.3.2 is vulnerable to Cross Site Request Forgery (CSRF)

Software: HTTP Auth · Type: Plugin · Vulnerable versions: <= 0.3.2 · Fixed in: 1.0.0 · OWASP Top 10: A5 Broken Access Control · Classification: Cross Site Request Forgery (CSRF) · CVE: CVE-2023-27435 · Patch priority: Low · CVSS severity: Low (6.3) · PSID: 3c605b41c95d · Credits: Mika · Required privilege...

CVSS 8.8 · AI score 6.6 · EPSS 0.00065 · Exploits 0 · References 2 · Affected Software 1

Patchstack · added 2023/07/11 12:00 a.m. · 7 views

WordPress Mail Control Plugin <= 0.3.1 is vulnerable to Cross Site Scripting (XSS)

Software: Mail Control · Type: Plugin · Vulnerable versions: <= 0.3.1 · Fixed in: 0.3.2 · OWASP Top 10: A7 Cross-Site Scripting (XSS) · Classification: Cross Site Scripting (XSS) · CVE: CVE-2023-3158 · Patch priority: Low · CVSS severity: Low (7.1) · PSID: 0eca928a8cff · Credits: Alex Thomas · Required...

CVSS 7.2 · AI score 5.7 · EPSS 0.01283 · Exploits 0 · References 3 · Affected Software 1

CNNVD · added 2023/06/27 12:00 a.m. · 2 views

WCMS path traversal vulnerability

WCMS is a content management system (CMS). A security vulnerability exists in WCMS version 0.3.2. An attacker can exploit the vulnerability to execute arbitrary code via the wex/cssjs.php parameter...

CVSS 9.8 · AI score 8.9 · EPSS 0.04697 · Exploits 1 · References 2

Positive Technologies · added 2023/05/22 12:00 a.m. · 2 views

PT-2023-23418 · Wcms · Wcms

Name of the Vulnerable Software and Affected Versions: Wcms version 0.3.2. Description: The issue allows an attacker to send a crafted request from a vulnerable web application backend server via the "finish" parameter and the textAreaCode parameter in the "/wcms/wex/html.php" endpoint. This enabl...

CVSS 9.8 · AI score 9.5 · EPSS 0.03643 · Exploits 1 · References 4

Positive Technologies · added 2023/03/24 12:00 a.m. · 1 view

PT-2023-21905 · Dino +2 · Dino +2

Name of the Vulnerable Software and Affected Versions: Dino versions prior to 0.2.3; Dino versions 0.3.x prior to 0.3.2; Dino versions 0.4.x prior to 0.4.2. Description: The issue allows attackers to modify the personal bookmark store via a crafted message. This can lead to changing the display of...

CVSS 7.1 · AI score 6.4 · EPSS 0.00188 · Exploits 0 · References 29

Prion · added 2023/02/07 5:15 p.m. · 12 views

SQL injection

A vulnerability classified as critical has been found in weblabyrinth 0.3.1. This affects the function Labyrinth of the file labyrinth.inc.php. The manipulation leads to SQL injection. Upgrading to version 0.3.2 is able to address this issue. The identifier of the patch is...

CVSS 7.5 · AI score 7.9 · EPSS 0.00323 · Exploits 1 · References 5 · Affected Software 1

OSV · added 2022/09/16 5:17 p.m. · 6 views

GHSA-3633-5H82-39PQ Go-tuf Improperly handles multiple key IDs for the same public keys in attacker-controlled metadata

Issue: If an attacker is able to control a threshold of keys to insert the same public key more than once with different key IDs into signed, trusted metadata on a TUF repository, then go-tuf clients 0.3.2 are susceptible to an attack where attackers can cause the same signature from the same publ...

AI score 5.8 · Exploits 0 · References 4

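The go-tuf entry above describes one public key listed under several key IDs being counted once per key ID toward a role's signature threshold. The Go program below is an added example for this page, not go-tuf's code or its fix: it builds constructed metadata in which a single ed25519 key is listed under two key IDs (keyid-a and keyid-b, arbitrary labels; real TUF derives key IDs from the key) for a threshold-2 role, signs once, presents the same signature under both IDs, and compares a count deduplicated by key ID with one deduplicated by key material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Key is a minimal stand-in for a TUF public key record; real TUF keys also
// carry keytype and scheme fields.
type Key struct {
	Public ed25519.PublicKey
}

// Signature mirrors a TUF signature: the key ID that claims to have signed,
// plus the raw signature bytes.
type Signature struct {
	KeyID string
	Sig   []byte
}

// Role is a minimal TUF role: the key IDs trusted for it and the number of
// distinct signatures required.
type Role struct {
	KeyIDs    []string
	Threshold int
}

// countVerified counts signatures that verify against a key trusted for the
// role. With byPublicKey false it deduplicates by key ID only, so two IDs
// carrying the same public key each count (the flaw). With byPublicKey true
// it deduplicates by key material, so one key contributes at most once no
// matter how many IDs it is listed under.
func countVerified(payload []byte, keys map[string]Key, role Role, sigs []Signature, byPublicKey bool) int {
	trusted := make(map[string]bool, len(role.KeyIDs))
	for _, id := range role.KeyIDs {
		trusted[id] = true
	}
	seen := map[string]bool{}
	n := 0
	for _, s := range sigs {
		k, ok := keys[s.KeyID]
		if !ok || !trusted[s.KeyID] {
			continue
		}
		dedupKey := s.KeyID
		if byPublicKey {
			dedupKey = string(k.Public)
		}
		if seen[dedupKey] {
			continue
		}
		if ed25519.Verify(k.Public, payload, s.Sig) {
			seen[dedupKey] = true
			n++
		}
	}
	return n
}

// MeetsThreshold is the hardened check: distinct public keys must reach the threshold.
func MeetsThreshold(payload []byte, keys map[string]Key, role Role, sigs []Signature) bool {
	return countVerified(payload, keys, role, sigs, true) >= role.Threshold
}

// Scenario builds the constructed metadata described in the lead-in and
// returns the naive count, the per-public-key count, the threshold, and
// whether the hardened check accepts the metadata.
func Scenario() (naive, distinct, threshold int, accepted bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte(`{"_type":"targets","version":2}`) // constructed signed portion
	sig := ed25519.Sign(priv, payload)

	keys := map[string]Key{
		"keyid-a": {Public: pub},
		"keyid-b": {Public: pub}, // same key under a second ID (assumed attacker-controlled)
	}
	role := Role{KeyIDs: []string{"keyid-a", "keyid-b"}, Threshold: 2}
	sigs := []Signature{{KeyID: "keyid-a", Sig: sig}, {KeyID: "keyid-b", Sig: sig}}

	return countVerified(payload, keys, role, sigs, false),
		countVerified(payload, keys, role, sigs, true),
		role.Threshold,
		MeetsThreshold(payload, keys, role, sigs)
}

func main() {
	naive, distinct, thr, ok := Scenario()
	fmt.Printf("threshold %d: by key ID %d, by public key %d, accepted=%v\n", thr, naive, distinct, ok)
}
```

A client that also recomputes key IDs from the canonical key bytes, rather than trusting the IDs in the metadata, would reject the duplicate listing earlier; the per-public-key count is the check that holds even when the IDs are taken at face value.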
OSV · added 2022/04/20 8:31 p.m. · 1 view

GHSA-4MRX-6FXM-8JPG Buffer Overflow in vyper

Impact: Importing a function from a JSON interface which returns bytes generates bytecode which does not clamp the bytes length, potentially resulting in a buffer overrun. Patches: 0.3.2, as of https://github.com/vyperlang/vyper/commit/049dbdc647b2ce838fae7c188e6bb09cf16e470b. Workarounds: Use .vy...

CVSS 7.1 · AI score 7.4 · EPSS 0.00329 · Exploits 0 · References 5

CNNVD · added 2022/04/13 12:00 a.m. · 2 views

Vyper buffer error vulnerability

Vyper is the Pythonic smart contract language for the EVM. A security vulnerability exists in Vyper before 0.3.2: importing a function from a JSON interface that returns bytes generates bytecode that does not clamp the bytes length, potentially resulting in a buffer overflow...

CVSS 9.8 · AI score 8.8 · EPSS 0.00329 · Exploits 0 · References 4

Positive Technologies · added 2022/04/13 12:00 a.m. · 3 views

PT-2022-16919 · Vyper · Vyper

Name of the Vulnerable Software and Affected Versions: Vyper versions prior to 0.3.2. Description: The return value of .returns int128 is not validated to fall within the bounds of int128, which can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0, .returns...

CVSS 9.8 · AI score 9.3 · EPSS 0.00397 · Exploits 1 · References 9

Vulnrichment · added 2022/04/04 5:35 p.m. · 3 views

CVE-2022-24787 Incorrect Comparison in Vyper

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. In version 0.3.1 and prior, bytestrings can have dirty bytes in them, resulting in word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare equal if one en...

CVSS 7.5 · AI score 7.5 · EPSS 0.00237 · Exploits 0 · References 2